>>It is currently possible to partly apply security groups, only for one 
>>direction. 

Currently you can apply the security group in both directions

vmid.fw
[IN]
GROUP-security1 net0 - - - - -

[OUT]
GROUP-security1 net0 - - - - -


but in vmid.fw, I only specify the GROUP name. 

But in firewall.pm, I force $group.'-IN' or $group.'-OUT',
to be sure that a wrong group-in is not in tap-out, for example.



Note, I sent a small fix yesterday to the mailing list:
"
@@ -430,7 +430,7 @@ sub generate_group_rules {
             # we go the BRIDGEFW-IN because we need to check also other tap 
rules 
             # (and group rules can be set on any bridge, so we can't go to 
VMBRXX-IN)
             $rule->{action} = 'BRIDGEFW-IN' if $rule->{action} eq 'ACCEPT';
-            ruleset_generate_rule($rule, $chain, $rule);
+            ruleset_generate_rule($ruleset, $chain, $rule);
         }
     }
 }
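Review bot: the old call passed the rule hash twice (ruleset_generate_rule($rule, $chain, $rule)) where the first argument is, by its name, the ruleset being built, so the group rule was presumably generated against the wrong object; the corrected ruleset_generate_rule($ruleset, $chain, $rule) is the right fix. Two points worth addressing alongside it: the preceding line rewrites $rule->{action} in place, so if the same rule hash is later emitted for another chain its ACCEPT has already become BRIDGEFW-IN (generating from a copy of the rule would avoid that), and the hunk should carry a one-line commit message saying it is a bug fix in generate_group_rules rather than a refactor.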
"
maybe this is because you can't apply the group rule in both directions?



>>Do you really want that (why)?

We need to be careful, because in GROUP-OUT we jump to BRIDGEFW-IN instead of ACCEPT.

>>Or can we use an extra section for GROUPS, and always apply both directions?
But we could define
[GROUPS] 
securityname1 net0 

and generate GROUP-IN and GROUP-OUT from this rule (the only difference is -j ACCEPT or -j BRIDGEFW-IN).


----- Original Message ----- 

From: "Dietmar Maurer" <[email protected]> 
To: "Alexandre DERUMIER ([email protected])" <[email protected]> 
Cc: [email protected] 
Sent: Tuesday, 18 February 2014 12:59:18 
Subject: pvefw security group question 



It is currently possible to partly apply security groups, only for one 
direction. 

Do you really want that (why)? Or can we use an extra section for GROUPS, and always apply both directions? 

------------------------------ 
[GROUPS] 
securityname1 net0 

------------------------------ 
_______________________________________________
pve-devel mailing list
[email protected]
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
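As an added illustration of the [GROUPS] proposal discussed above (example code, not pve-firewall's own), this generates both directions of a group from one section entry: the -IN chain keeps -j ACCEPT while the -OUT chain jumps to BRIDGEFW-IN, and the tap chain can only be attached to the group chain of its own direction. The tap chain naming tap<vmid>i<n>-IN/-OUT, the per-group rule tuples and the config sample are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample of the proposed [GROUPS] section (assumption).
SAMPLE_VMID_FW = """
[GROUPS]
securityname1 net0
"""

# Constructed group definitions: (proto, dport, action); layout is an assumption.
SAMPLE_GROUP_RULES = {"securityname1": [("tcp", "22", "ACCEPT"), ("tcp", "23", "DROP")]}


def parse_groups(text: str) -> List[Tuple[str, str]]:
    """Return (group, iface) pairs listed under [GROUPS]."""
    groups, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line.upper() == "[GROUPS]"
            continue
        if in_section:
            name, iface = line.split()[:2]
            groups.append((name, iface))
    return groups


def generate_group_chain(group: str, rules, direction: str) -> List[str]:
    """Emit GROUP-<group>-<dir>; on the OUT side ACCEPT becomes a jump to
    BRIDGEFW-IN so the packet still passes the other taps' rules."""
    chain = f"GROUP-{group}-{direction}"
    out = []
    for proto, dport, action in rules:
        target = "BRIDGEFW-IN" if direction == "OUT" and action == "ACCEPT" else action
        out.append(f"-A {chain} -p {proto} --dport {dport} -j {target}")
    return out


def attach_group(vmid: int, iface: str, group: str, direction: str) -> str:
    """Jump from the tap chain into the group chain of the same direction,
    so GROUP-x-IN can never end up in a tap OUT chain (naming assumed)."""
    tap = f"tap{vmid}i{iface[3:]}-{direction}"
    return f"-A {tap} -j GROUP-{group}-{direction}"


def generate(vmid: int, text: str, group_rules) -> Dict[str, List[str]]:
    """Build every group chain in both directions plus the tap attachments."""
    result: Dict[str, List[str]] = {"attach": []}
    for group, iface in parse_groups(text):
        for direction in ("IN", "OUT"):
            result[f"GROUP-{group}-{direction}"] = generate_group_chain(
                group, group_rules[group], direction)
            result["attach"].append(attach_group(vmid, iface, group, direction))
    return result
```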
